Security Experts:

Connect with us

Hi, what are you looking for?



WordPress Flaw Allows XSS Attack via Image Filenames

WordPress users have been advised to update their installations to version 4.6.1, which fixes a couple of security flaws and over a dozen functionality bugs affecting previous versions.

WordPress users have been advised to update their installations to version 4.6.1, which fixes a couple of security flaws and over a dozen functionality bugs affecting previous versions.

According to WordPress developers, version 4.6 and earlier are plagued by two vulnerabilities. One of them, identified by Dominik Schilling of the WordPress security team, is a path traversal in the upgrade package uploader.

The second issue, discovered by Han Sahin, co-founder of Dutch security firm Securify, is a persistent cross-site scripting (XSS) flaw caused by unsafe processing of image filenames.

An advisory provided by Securify to SecurityWeek reveals that an attacker can exploit the vulnerability by inserting an XSS payload into an image file’s name. If the attacker can trick the targeted website’s administrator into uploading the malicious image via the WordPress Media Upload functionality, the payload gets executed, allowing the hacker to conduct various operations, such as stealing session tokens and login credentials.

Sahin pointed out that the targeted administrator must use operating systems like Linux and Mac OS X, which provide the extended file name capabilities necessary for the attack to work.

WordPress 4.6.1, which is considered a security release, also addresses 15 bugs, including one that involved disabling a PHP warning for security reasons.

This is the fifth WordPress security release issued this year. In versions 4.4.1, 4.4.2, 4.5.2 and 4.5.3, the content management system’s developers patched XSS, redirect bypass, information disclosure, denial-of-service (DoS), unauthorized category removal, password reset, open redirect, and server-side request forgery (SSRF) flaws.

Securify ran a month-long event in July, inviting researchers to find vulnerabilities in WordPress and WordPress plugins. The hacker event, dubbed “Summer of Pwnage,” resulted in the discovery of 120 vulnerabilities in the WordPress core and various plugins, including ones that have hundreds of thousands and even over one million active installs.

The Summer of Pwnage advisories show that there are still several vulnerabilities in the WordPress core that have not been patched.

“WordPress has a lot of security features in the code base – it is not as bad as some people in infosec might think,” Sahin told SecurityWeek in July. “The biggest problem I see is the growing number of (uncontrolled) plugins. A good suggestion would be to make an application filter in the WordPress core that forces a CSRF token on every CRUD [create, read, update, and delete] request to reduce the remote factor of issues.”

UPDATE. Securify has published the advisory describing the XSS vulnerability.

Related Reading: Stored XSS Flaw Patched in bbPress WordPress Plugin

Related Reading: Pushes Free HTTPS to All Hosted Sites

Related Reading: Hacked WordPress Sites Target Random Users

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.